The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).
Huaizhe ZHOU
National University of Defense Technology
Haihe BA
National University of Defense Technology
Yongjun WANG
National University of Defense Technology
Tie HONG
National University of Defense Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copy
Huaizhe ZHOU, Haihe BA, Yongjun WANG, Tie HONG, "On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events" in IEICE TRANSACTIONS on Information,
vol. E103-D, no. 1, pp. 177-180, January 2020, doi: 10.1587/transinf.2019EDL8148.
Abstract: The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2019EDL8148/_p
Copy
@ARTICLE{e103-d_1_177,
author={Huaizhe ZHOU, Haihe BA, Yongjun WANG, Tie HONG, },
journal={IEICE TRANSACTIONS on Information},
title={On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events},
year={2020},
volume={E103-D},
number={1},
pages={177-180},
abstract={The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).},
keywords={},
doi={10.1587/transinf.2019EDL8148},
ISSN={1745-1361},
month={January},}
Copy
TY - JOUR
TI - On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events
T2 - IEICE TRANSACTIONS on Information
SP - 177
EP - 180
AU - Huaizhe ZHOU
AU - Haihe BA
AU - Yongjun WANG
AU - Tie HONG
PY - 2020
DO - 10.1587/transinf.2019EDL8148
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E103-D
IS - 1
JA - IEICE TRANSACTIONS on Information
Y1 - January 2020
AB - The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).
ER -